How to submit suspicious files via the online submission form that have been quarantined by Symantec Endpoint Protection
|Article:TECH97449|||||Created: 2009-01-16|||||Updated: 2015-03-09|||||Article URL http://www.symantec.com/docs/TECH97449|
You have files that have been quarantined by Symantec Endpoint Protection (SEP) on a local computer, and have been directed to manually submit them via the online submission form rather than from within the product interface.
Note that is is usually not necessary to submit files that are already detected and quarantined by Symantec products. Please see the Connect article Symantec Insider Tip: Successful Submissions! for additional recommendations on what to submit and what not to submit.
Note: This document only covers submitting files from SEP clients, not from a legacy standalone Central Quarantine Server (CQS).
To gather files to submit
- Navigate to the Quarantine folder. The path will be differnt with different version and operating systems. Here are some examples:
<OS drive>\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine
<OS drive>\ProgramData\Symantec\Symantec Endpoint Protection\12.1.xxx.xxxx.xxx\Data\Quarantine
- The .VBN files at the root of the quarantine folder, are logs and do not contain the quarantined item. However, for each .VBN file in the Quarantine folder there should be another folder with the same name as the .VBN file. You will need to navigate to this folder
Example: If there is a file named ABCD1234.VBN in the Quarantine folder, there should also be a folder named ABCD1234 in the Quarantine folder. This folder contains a different ABCD1234.VBN file, that actually contains the sample. If in doubt when comparing .VBN files with the same name, always send the larger file.
- In this folder are the .VBN files that need to be submitted. Copy the desired .VBN file to the desktop for easy access. Do not zip or rar .VBN files that are to be submitted.
- Open a web browser and visit the appropriate URL as provided by support.
Upload the file(s) as directed by the web page.
There may be multiple .VBN files located in the Quarantine file.
These files are encrypted but if they are opened in a text editor (such as notepad.exe) the orginal file name can be read at the top.
If there are multiple .VBN files present and you are unsure of which file(s) to submit, we recommend that you open the SEP interface, access Quarantine and remove everything except for the file(s) you want to submit. Do not zip or rar .VBN files that are to be submitted. Instead create a new submission for each .VBN file.
These files are encrypted by Symantec in such a way that we can decrypt them for inspection. While they do potentially contain an infection, due to the proprietary encryption used, there is no danger of infection from these specific files while moving them.
For information on how to submit a suspected False Positive to Symantec, please read: Best Practice when Symantec Endpoint Protection or Symantec AntiVirus is Detecting a File that is Believed to be Safe
Article URL http://www.symantec.com/docs/TECH97449